I’m creating my own authentication system (using Java). When a user is authenticated and the user object is loaded from the datastore, is it secure to store this user object in the session and assume that when a user has a user object in the session, it is a real and valid user object that has been obtained by a legitimate login? Are there any possible security issues that I’m not seeing here?
In principle yes.
You alone are in full control of the session variables (the client has neither read nor write access to these variables). If the authentication mechanism is circumvented, it is not because the user has set his own session variable (as he could, for instance, set the content of cookies).
This being said, there are of course ways to hack web pages (read up on the OWASP Top 10, including CSRF, XSS and so on).
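As an added example (not code from the question or from the answer above), here is what the scheme the answer describes looks like in the plain javax.servlet 3.1 API, together with the session-side defences the answer alludes to: the user object lives only in the server-side HttpSession, the session id is rotated at login (against session fixation), the session cookie is marked HttpOnly and Secure, and state-changing requests must echo a per-session CSRF token. The `User` class, the `UserStore` datastore facade, the `"userStore"` context attribute, the URL paths and the file name `SessionAuthExample.java` are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

/** Assumed application class: the object loaded from the datastore after a successful login. */
final class User {
    final String username;
    User(String username) { this.username = username; }
}

/** Assumed datastore facade; returns null when the credentials do not match. */
interface UserStore {
    User authenticate(String username, char[] password);
}

/** Session cookie hardening: HttpOnly keeps script (XSS) from reading the id, Secure keeps it off plain HTTP. */
@WebListener
public final class SessionAuthExample implements ServletContextListener {
    static final String USER = "authenticatedUser"; // the User object lives here, server-side only
    static final String CSRF = "csrfToken";         // per-session synchronizer token
    @Override public void contextInitialized(ServletContextEvent e) {
        SessionCookieConfig cfg = e.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);
        cfg.setSecure(true);
    }
    @Override public void contextDestroyed(ServletContextEvent e) { }
}

@WebServlet("/login")
final class LoginServlet extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();
    @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Assumed wiring: the datastore facade is registered as a context attribute at startup.
        UserStore store = (UserStore) getServletContext().getAttribute("userStore");
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        User user = (username == null || password == null)
                ? null : store.authenticate(username, password.toCharArray());
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Session fixation defence: rotate the session id at the moment privilege changes, so an id an
        // attacker planted in the victim's browser before login never becomes an authenticated session.
        HttpSession session = req.getSession(true);
        req.changeSessionId();                       // Servlet 3.1+
        session.setAttribute(SessionAuthExample.USER, user);
        byte[] token = new byte[32];
        RNG.nextBytes(token);
        session.setAttribute(SessionAuthExample.CSRF,
                Base64.getUrlEncoder().withoutPadding().encodeToString(token));
        session.setMaxInactiveInterval(15 * 60);     // idle timeout in seconds
        resp.sendRedirect(req.getContextPath() + "/app/");
    }
}

@WebServlet("/logout")
final class LogoutServlet extends HttpServlet {
    @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();   // drops the User object together with the session
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}

/** Gate for the protected area: trusts only a User object that the server itself placed in the session. */
@WebFilter("/app/*")
final class AuthFilter implements Filter {
    @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);     // never create a session here
        User user = session == null ? null : (User) session.getAttribute(SessionAuthExample.USER);
        if (user == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // CSRF check for state-changing requests: the submitted form must echo the per-session token.
        if (!"GET".equals(req.getMethod()) && !"HEAD".equals(req.getMethod())) {
            String expected = (String) session.getAttribute(SessionAuthExample.CSRF);
            String supplied = req.getParameter("_csrf");
            if (expected == null || supplied == null
                    || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                              supplied.getBytes(StandardCharsets.UTF_8))) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The answer's guarantee holds because the container keeps session state on the server and the browser only holds an opaque session id; it does not hold for frameworks that serialise the session into a client-side cookie, where the user object would have to be integrity-protected (signed or encrypted) or not stored at all. What remains is everything an attacker can do to reach that server-side session from outside, stealing the id through XSS or riding the victim's browser through CSRF, which is exactly what the OWASP list in the answer covers; that is why the example hardens the cookie and checks a token instead of trusting the presence of the user object alone.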